Custom ESLint rule to disallow unsafe innerHTML, outerHTML, insertAdjacentHTML and the like
Frederik Braun 3c82cab235 Docs: split out documentation per-rule and add files for fixing violations and customization 2017-07-18 13:05:09 +02:00
docs/rules Docs: split out documentation per-rule and add files for fixing violations and customization 2017-07-18 13:05:09 +02:00
lib Fix: support for logical and condition (i.e., ternary) expressions 2017-05-31 12:34:33 +02:00
tests/rules Fix: support for logical and condition (i.e., ternary) expressions 2017-05-31 12:34:33 +02:00
.eslintrc Enable ESLint rules require-jsdoc and valid-jsdoc, also reformatting the eslintrc (fixes #52) 2017-04-24 08:38:42 +02:00
.gitignore Custom rules for configuring rules. Fixes #29 (#51) 2017-04-21 16:52:12 +02:00
.travis.yml Prepare 1.0.15 (#12) 2016-09-30 13:22:50 +02:00
CHANGELOG.md Version bump to 2.0.0 (#53) 2017-05-09 08:58:05 +02:00
NOTES adding note to NOTES 2017-03-21 09:56:23 +01:00
README.md Fix typo in README.md (#58) 2017-05-29 10:17:50 +02:00
SCHEMA.md Custom rules for configuring rules. Fixes #29 (#51) 2017-04-21 16:52:12 +02:00
index.js Fix default rule setup and README (#55) 2017-05-15 15:58:51 +02:00
package.json Release: v2.0.1 2017-06-02 11:55:08 +02:00

README.md


Disallow unsanitized code (no-unsanitized)

These rules disallow unsafe coding practices that may result in security vulnerabilities. They disallow assignments to innerHTML as well as calls to insertAdjacentHTML unless the value is produced by a pre-defined escaping function. The escaping function must be called as a tagged template (i.e., with a template string). The function names are hardcoded as Sanitizer.escapeHTML and escapeHTML.

Rule Details

The rule disallows unsafe coding practices while trying to allow safe coding practices.

Here are a few examples of code that we do not want to allow:

foo.innerHTML = input.value;
bar.innerHTML = "<a href='"+url+"'>About</a>";

A few examples of allowed practices:

foo.innerHTML = 5;
bar.innerHTML = "<a href='/about.html'>About</a>";
bar.innerHTML = escapeHTML`<a href='${url}'>About</a>`;
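The rule only recognises the escaping function by name; it does not check what the function does. The tagged template below is an added example (not code from eslint-plugin-no-unsanitized) of what an `escapeHTML` tag must actually do to make the accepted form safe: the literal parts of the template are developer-written markup and pass through unchanged, while every interpolated value is HTML-escaped. The `url` sample value and the `unsafeLink`/`safeLink` helper names are constructed for the illustration.

```javascript
// Added example: a tagged-template escaper of the kind the rule whitelists
// under the name escapeHTML. Not part of eslint-plugin-no-unsanitized.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can change meaning inside HTML text
// or inside a quoted attribute value.
function escapeText(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tag function: strings[] are the literal template chunks (trusted markup
// written by the developer); values[] are the interpolations (untrusted).
function escapeHTML(strings, ...values) {
  let out = strings[0];
  for (let i = 0; i < values.length; i++) {
    out += escapeText(values[i]) + strings[i + 1];
  }
  return out;
}

// The pattern the rule reports: untrusted input concatenated into markup.
function unsafeLink(url) {
  return "<a href='" + url + "'>About</a>";
}

// The pattern the rule accepts: a tagged template whose tag escapes
// every interpolated value before it reaches innerHTML.
function safeLink(url) {
  return escapeHTML`<a href='${url}'>About</a>`;
}

// Constructed sample input: a value that closes the href attribute and
// tries to add a new one. With unsafeLink the quote survives and a second
// attribute appears; with safeLink the quote is escaped and the whole
// value stays inside href.
const sampleUrl = "' onmouseover='alert(1)";

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", unsafeLink(sampleUrl));
  console.log("safe:  ", safeLink(sampleUrl));
}
```

Usage note: in real code the tag would be assigned to the exact name the rule looks for (`escapeHTML` or `Sanitizer.escapeHTML`), and `bar.innerHTML = safeLink(url)` is then the accepted form while `bar.innerHTML = unsafeLink(url)` is reported. Escaping interpolations is context-dependent; this tag is correct for HTML text and quoted attribute values, which covers the example on this page, but not for values placed inside `<script>` or in a URL scheme position.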

This rule is being used within Mozilla to maintain and improve the security of our products and services.

Install

With yarn or npm:

$ yarn add -D eslint-plugin-no-unsanitized
$ npm install --save-dev eslint-plugin-no-unsanitized

Usage

In your eslint.json file enable this rule with the following:

{
    "plugins": ["no-unsanitized"],
    "extends": ["plugin:no-unsanitized/DOM"]
}

Or:

{
    "plugins": ["no-unsanitized"],
    "rules": {
        "no-unsanitized/method": "error",
        "no-unsanitized/property": "error"
    }
}

Advanced configuration

{
    "plugins": ["no-unsanitized"],
    "rules": {
        "no-unsanitized/method": [
            "error",
            {
                "disableDefault": true,
                "escape": {
                    "taggedTemplates": ["safeHTML"]
                }
            },
            {
                "html": {
                    "properties": [0]
                }
            }
        ],
        "no-unsanitized/property": [
            "error",
            {
                "escape": {
                    "taggedTemplates": ["safeHTML"]
                }
            },
            {
                "innerHTML": {
                    "objectMatches": ["document.*"]
                }
            }
        ]
    }
}

See all available options